Skip to main content
Docs

Client Trust

Client Trust is Clerk's defense against credential stuffing attacks - a type of attack where bad actors use lists of stolen passwords to attempt to gain unauthorized access to user accounts.

When Client Trust is enabled, Clerk treats every new device as untrusted until the user has verified their identity with a .

How Client Trust works

Client Trust automatically requires a when all of the following conditions are met:

  1. The user enters a valid password.
  2. The user hasn't enabled multi-factor authentication (MFA).
  3. The user is signing in from a new device.

When these conditions are met, Clerk sends a to the user's email address or phone number. The user must enter this code to complete the sign-in process.

Note

If the user has already enabled MFA (such as an authenticator app or SMS verification), Client Trust will not trigger - their existing MFA method will be used instead.

Enable Client Trust

Client Trust is automatically enabled for Clerk applications created after November 14, 2025. For applications created before this date, you can enable Client Trust in the Clerk Dashboard:

  1. In the Clerk Dashboard, navigate to the Updates page.
  2. Enable the Client Trust update.

How Client Trust differs from traditional MFA

AspectClient TrustTraditional MFA
TriggerAutomatic on new devicesUser must enable it
Verification methodEmail/phone codeTOTP, SMS code, backup codes
User setup requiredNoneUser must configure their preferred method
When it appliesOnly for password sign-insAll sign-ins

Impact on custom sign-in flows

If you've built a that allows password-based sign-ins using the Clerk API or SDKs, you'll need to handle the needs_client_trust status that Client Trust can trigger.

When Client Trust requires verification, the sign-in attempt will return a status of needs_client_trust with email_code or phone_code in the supportedSecondFactors array. Your flow should:

  1. Check if the sign-in status is needs_client_trust.
  2. Check if email_code or phone_code is in the supportedSecondFactors array.
  3. Call prepareSecondFactor() to send the verification code to the user's email address or phone number.
  4. Collect the code from the user.
  5. Call attemptSecondFactor() to verify the code.
  6. If successful, set the session as active.

For a complete implementation example, see the email/password custom flow guide.

Tip

If your application supports both Client Trust and user-enabled MFA, make sure to handle both the needs_client_trust and needs_second_factor statuses. The needs_client_trust status is returned when Client Trust triggers on a new device, while needs_second_factor is returned when the user has MFA enabled on their account.

Limitations

  • Password-only: Client Trust only applies to password-based sign-ins. Passwordless authentication methods (such as email links, , passkeys, and OAuth) are not affected.
  • Email/Phone number required: Client Trust requires the user to have a verified email address or phone number to receive the verification code.

Feedback

What did you think of this content?

Last updated on

GitHubEdit on GitHub